Fedora 44 : composer (2026-9b34a78e81)

Severity: High, Nessus Plugin ID: 320957

Synopsis

The remote Fedora host is missing one or more security updates.

Description

The remote Fedora 44 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2026-9b34a78e81 advisory.

### Version 2.10.1 - 2026-06-04

* Security: Fixed shell escaping when opening an editor (#12903)
* Security: Verify backup phar signature before restoring it when using self-update --rollback (#12918)
* Fixed `source-fallback` also disabling fallbacks to dist install when source is the preferred install method (#12888)
* Fixed source -> dist package updates wiping the .git dir without checking for local changes first (#12912)
* Fixed GitHub token prompt happening multiple times on parallel auth failures (#12913)
* Fixed warnings from Composer repositories being printed twice in some cases (#12907)



----

### Version 2.10.0

Read the [Composer 2.10 Release Announcement](https://blog.packagist.com/composer-2-10-release/) for more details on the release highlights.

**Full Changelog**

- BC Break / Security: Disabled automatic fallback to source checkout if dist/zip install fails. We have introduced a new `source-fallback` config option as a temporary way to restore the old behavior, but if you need this, talk to us, as we plan to remove it entirely in 2.11 (#12885)
- BC Break: Minor break for audit consumers, the exit code is now always 0 (success) or 1 if anything failed the audit (#12881)
- Security: Added dependency policies to block package versions where malware was detected on update/install or report it with audit (#12786)
- Security: Hardened output filtering of URLs to reduce chances of token leaks (#12882, #12886)
- Security: Fixed handling of uppercase schemes in URL validation that might have allowed https requirement bypass (#12884)
- Security: Fixed git credentials remaining in git mirror .git/config after clone or update failed (2bcbfc3)
- Security: Fixed usage of insecure 3DES ciphers when ext-curl is missing (5e71d77)
- Security: Enforce allow-plugins even in non-interactive mode for very old pre-2.2 lock files (#12764)
- Added support for temporary --with constraints with wildcards in the package name for the update command (#12658)
- Added --strict-psr-autoloader flag to install and update commands (#12647)
- Added source-fallback config option to disable or enable source fallback on download failure (#12698)
- Added --require parameter to create-project to add new packages to the project as it gets installed (#12738)
- Optimized plugin autoloading by avoiding regenerating classmaps for every package per plugin (#12696)
- Optimized PoolOptimizer memory usage (#12783)
- Optimized classmap dumping performance
- Deprecated most of the audit config in favor of the new policy one (#12804, see #12786 for the RFC and upgrade docs)
- Fixed update --bump-after-update to only bump packages that actually were updated (#12733)
- Fixed GitHub API authentication errors not being visible to the user (#12737)
- Fixed error reporting for clarity when a constraint cannot be parsed (#12743)
- Fixed warning being shown when lock file is disabled (#12760)
- Fixed inconsistent treatment of SingleCommandApplication script commands wrt autoloading (#12758)
- Fixed some platform package parsing failing when Composer runs in web SAPIs (#12735)
- Fixed audit command returning a success code when the vendor dir was not present (#12880)

Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Update the affected composer package.

See Also

https://bodhi.fedoraproject.org/updates/FEDORA-2026-9b34a78e81

Plugin Details

Severity: High

ID: 320957

File Name: fedora_2026-9b34a78e81.nasl

Version: 1.1

Type: Local

Agent: unix

Published: 6/13/2026

Updated: 6/13/2026

Supported Sensors: Continuous Assessment, Nessus Agent, Nessus

Vulnerability Information

CPE: p-cpe:/a:fedoraproject:fedora:composer, cpe:/o:fedoraproject:fedora:44

Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 6/4/2026

Vulnerability Publication Date: 6/4/2026

Reference Information